ICO Consultation - Direct Marketing Code of Practice 
Response from Data Locator Group Ltd 


March 2020 


Overview: 
Direct Marketing plays an important role in both society and the economy. 


It helps shape the lives of consumers by providing access to a wide range of products and services that they would 
otherwise be prevented from seeing. Direct Marketing also enables small and medium size businesses to remain 
competitive, and indeed viable, by reducing wastage and targeting their marketing communication to a relevant 


audience. 


We welcome the introduction of a statutory code. One that will help maintain the high standards and ensure a 


level playing field for responsible practitioners of direct marketing. 


However, in its current form the code focuses only on the negative aspects of direct marketing. There are also 


certain aspects of the draft Code that are misleading and confusing. This creates a real threat to the industry. 


A decline in direct marketing would see a move towards non-targeted above-the-line activity - activity which only 
large blue-chip organisations could afford. There would be an even greater dependency on the large media 
platforms such as Google and Facebook. Marketers would have to turn to non-targeted activities, often considered 
environmentally unfriendly junk mail. There could be a significant anti-competitive impact to SMEs who would be 


unable to access cost effective marketing or be unable to introduce new innovative products to market. 
Direct marketing plays a crucial role and this could set the industry back over twenty years. 


Responsible direct marketing practitioners have worked hard over recent years to meet the demands of the new 
regulations, which is illustrated by a 22% reduction in PECR complaints across the industry since 2017. Through 
collaboration and industry support this could reduce further. For example, 38% of all PECR complaints are from 
accident claims, an FCA regulated sector. Therefore, new sector-specific rules could be introduced which would 
make a material difference, rather than the industry-wide pressures that parts of the Code will undoubtedly bring. 


In short, the actions of a few shouldn’t ruin the good work of the many. 


We want direct marketing to continue to grow and be an important part of the economy. We need a Code to 


support the future of direct marketing, whilst protecting consumers from nuisance and harm. 


The purpose of this document is to summarise our concerns surrounding the key issues from our perspective. 


1. 


LEGAL BASIS FOR PROCESSING 


The good practice recommendation on page 31 states ‘Get consent regardless of whether PECR requires it or 
not’. This has caused tremendous confusion. Some commentators have interpreted this to signal the end of 
legitimate interests. We believe this is extremely misleading and very damaging to the industry. 


If as a result of this recommendation there was to be a move away from legitimate interests, access to data for 
direct marketing purposes would be severely impacted and databases would be destroyed. This could lead to 
the demise of the direct marketing industry, which we do not believe is the intention of the Code. 


However, the good practice recommendation conflicts with GDPR and previous guidance. Recital 47 GDPR 
states “The processing of personal data for direct marketing purposes may be regarded as carried out for a 
legitimate interest”. The ICO Guide to GDPR goes on to say “There are six available lawful bases for processing. 
No single basis is ’better’ or more important than the others — which basis is most appropriate to use will depend 
on your purpose and relationship with the individual.” 


We believe this good practice recommendation should be removed from the Code. 


PROVIDING PRIVACY INFORMATION 


(a) Page 48 of the code states that ‘You must provide privacy information to individuals within a reasonable 
period and at the latest within a month of obtaining their data.....the latest point at which you must provide 
the information is when you first communicate with the individual or disclose their data to someone else. 
However it is important to remember that the one month time limit still applies in these situations.’ 


This will have significant implications, particularly for the postal industry. There are several important steps 
undertaken by reputable postal marketers to ensure data processing is fair and accurate. For example, 
they must firstly source data, check for accuracy, de-duplicate across multiple sources, clean against various 
industry suppression files, then print the marketing material, carry out quality checks, place into envelopes 
and then pass to a postal distributor for delivery. This process usually takes considerably longer than a 
month. Shortcutting the process to remain within the month time-period for notification would 
compromise accuracy and compliance. 


Consideration should also be given to the Mailing Preference Service which states ‘Companies prepare their 
mailings months in advance, therefore it can take up to four months for the service to become fully effective. 
Screening usually takes place early on in the mailing process, which can take several months. Upon 
registering with the MPS you should notice a gradual reduction of unsolicited mailings but please allow 4 
months for the service to become fully effective.’ 


If as a result, advertisers were to move away from postal marketing, there would be greater reliance on 
email, telephone and digital marketing — all of which are perceived to cause far greater nuisance to 
consumers. 


The impact of this type of data processing on an individual is extremely small. As soon as they are 
communicated with the individuals are able to freely exercise their data subject rights. 


We believe the code should reconsider the lead times involved within postal marketing in relation to 
Article 14 notifications. 


(b) Page 50 of the code states that ‘You need to clearly explain the purposes for which you want to process the 


individual’s personal data for. Vague terms such as ‘marketing purposes’, ‘marketing services’ or ‘marketing 
insights’ are not sufficiently clear.’ This has caused confusion as to what information should be provided at 
the point of data collection compared to information that can be provided within a separate privacy notice. 


The ICO’s Guide to PECR states that ‘You should make it clear upfront that you intend to use their details for 
marketing purposes’. Marketing purposes is language that is understood by the consumer. Providing more 
granular explanation at the point of data collection would risk causing confusion and prevent the privacy 
information from being “...concise, intelligible, in clear and plain language’. 


We believe the code should make a distinction between the information that should be provided at point 
of data collection (e.g. marketing purposes) compared to the information to be provided as part of a 
separate privacy notice (e.g. more detailed information). 


3. PROFILING AND DATA ENRICHMENT 


(a) Profiling and data enrichment are an essential part of the direct marketing industry. It protects individuals 


(b 


— 


from receiving irrelevant and unnecessary marketing and helps marketers remove wastage — enabling SMEs 
to remain competitive against larger blue-chip organisations. 


The Code explains that profiling and data enrichment can rely on consent or legitimate interests as long as 
the processing is transparent and fair. This can be managed via DPIAs and LIAs. 


However, the Code has introduced new and undefined phrases of ‘extensive’ and ‘intrusive’ profiling, both 
of which are unlikely to be appropriate under legitimate interests. This has created considerable 
uncertainty and confusion. 


It would suggest that some form of profiling and data enrichment may be acceptable under LI, whereas 
extensive or intrusive profiling will not. However, we do not have a clear understanding of what is meant 


by extensive or intrusive. In any event why should ‘extensive’ profiling not be appropriate? 


We believe the Code should add relevant examples and good practice recommendations to explain what 
is meant by extensive and intrusive. 


Page 60 of the Code states ‘Data matching or appending is where you match the data you already hold on 
individuals with other contact details that you did not already have’. 


We do not believe this is correct. In practice, ‘matching’ and ‘appending’ are two distinct processes. 
From a practitioner’s viewpoint, appending is where additional variables or contact details are added to an 
existing record, whereas matching may simply be used to identify whether an individual exists on two 


databases. 


Whilst we agree that buying additional contact details for existing customers may be unfair (appending), it 
is highly unlikely that simply matching two databases would cause any harm. 


We believe the Code should differentiate between these processes. 


(c) The Code has caused confusion by suggesting two different standards for data matching. 


In the Profiling and Data Enrichment section, it suggests that legitimate interests may be appropriate for 
data matching, subject to the appropriate DPIA and LIA. The section is marketing contact channel neutral. 


However, page 90 the Code states that consent is likely to be required for data matching for social media 
audience targeting. This conflicts with the previous section. 


Data matching (where databases are simply matched, rather than data being appended, see 3b) should be 
treated the same regardless of the eventual marketing communication channel. 


We believe consistency and extra clarification is required for data matching activities. 


DATA BROKING 


Data broking services is defined as collecting data about individuals from a variety of sources, then combining 
it and selling it on to other organisations. The Code explains that both consent and legitimate interest may be 
appropriate, as long as the processing is transparent, fair and lawful. 


However, the Code has caused confusion by including the European Article 29 Working Party example on page 
103, which sets out an opinion from 2013 whereby data brokering requires consent. 


Not only does this opinion conflict with the Code and GDPR, it would also put into question the entire data 
broking industry which typically relies on legitimate interests. We do not believe this is the intention of the 


Code. 


We believe the code should remove the WP29 example from page 103. 


About you 


Q8 


Are you answering as: 


O 


O 
Xx 
O 


An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

An individual acting in a professional capacity 

On behalf of an organisation 

Other 


Please specify the name of your organisation: 


Data Locator Group Limited 


If other please specify: 


O 
oO 


MOO 


[a a E Eel? TAD Es E 


How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 


pO 


